RE: Dialup Admin - Can't see any mysql record

2004-07-08 Thread Stadler Karel
It happens with all pages.

This is the sql_debug if one presses Show Groups:
DEBUG(SQL,MYSQL DRIVER): Query: SELECT COUNT(*) as counter,groupname FROM
usergroup GROUP BY groupname;
DEBUG(SQL,MYSQL DRIVER): Query Result: Num rows:: 6

But there is nothing on the page.

Also, when pressing Online Users I get:
DEBUG(SQL,MYSQL DRIVER): Query: SELECT * FROM nas ;

Fatal error: Cannot redeclare xlat() in
/opt/radius/dialup_admin/lib/xlat.php3 on line 2

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Wednesday, 7 July 2004 19:56
To: '[EMAIL PROTECTED]'
Subject: RE: Dialup Admin - Can't see any mysql record


On Wed, 7 Jul 2004, Stadler Karel wrote:

 @Kostas Kalevras:
 sql_debug is enabled. I see dialup admin can connect to mysql radius
 db. Sometimes (Show Groups Button) it says. Returning 6 rows. But I
 don't see any row returning.

 While using the new CVS snippet, the only thing I did not upgrade is
 to use the changed mysql schemas. I saw some fields changed. For
 example: in userinfo.sql Name changed to Admin. But I don't think
 this is the problem.

 Can you help?

Does this happen with all the pages or only with specific ones? Are the sql
queries run correctly?


 best rgds
 Karel


 -Original Message-
 From: [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]'
 Sent: 07.07.04 17:12
 Subject: Re: Dialup Admin - Can't see any mysql record

 On Wed, 7 Jul 2004, Stadler Karel wrote:

  Just downloaded and tried the latest CVS snippet from dialup_admin.

  I'm not using the http_credentials (#sql_use_http_credentials: yes)
  to connect to the radius database. Instead I use the same mySQL User
  as before. But dialup admin does not show one single record (f.e.:
  our radacct table has about 25 records). But I see, it connects to
  the DB.

 Enable sql_debug to see what's happening.

  I saw, there's a new file called username.mappings and I added my
  name, since we use htpasswd. But, it still doesn't work.

  Any ideas are welcome?

  ---
  Karel Stadler
  Network Technician
  Paul Scherrer Institute
  CH-5332 Villigen
  Switzerland
  ---
  PGP KeyId:0x1B740D81
 
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 

 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: suse 9.1 experience - freeradius

2004-07-08 Thread marco
 Just wondering if anyone else has tried running out-of-the-box
 freeradius and openssl versions on SuSE 9.1 pro and had any issues?

A lot of problems using last snapshots (suse9.1 and debian sid):
leaving enable shared lib. rlm_eap rlm_eap_ttls rlm_eap_peap disappear
and get no linking.
Disabling sharing with --disable-shared crash on rlm_krb5 making ...

/usr/lib/libkrb5.a(codec.o)(.text+0xaf): In function
`krb5_decode_EncKrbCredPart':
: undefined reference to `decode_EncKrbCredPart'
/usr/lib/libkrb5.a(codec.o)(.text+0xdf): In function
`krb5_encode_Authenticator':
: undefined reference to `encode_Authenticator'
/usr/lib/libkrb5.a(codec.o)(.text+0x10f): In function
`krb5_decode_Authenticator':
: undefined reference to `decode_Authenticator'
/usr/lib/libkrb5.a(codec.o)(.text+0x13f): In function
`krb5_encode_EncAPRepPart':
: undefined reference to `encode_EncAPRepPart'
/usr/lib/libkrb5.a(codec.o)(.text+0x16f): In function
`krb5_decode_EncAPRepPart':
: undefined reference to `decode_EncAPRepPart'
/usr/lib/libkrb5.a(codec.o)(.text+0x19f): In function
`krb5_encode_EncTGSRepPart':
: undefined reference to `encode_EncTGSRepPart'
/usr/lib/libkrb5.a(codec.o)(.text+0x1cf): In function
`krb5_decode_EncTGSRepPart':
: undefined reference to `decode_EncTicketPart' ...
[... x 100]

I tried disabling rlm_krb5 but something else crashes about libpg and kerberos.
A lot of warning everywhere.

I used
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/security -I/usr/include/et" \
./configure \
--prefix=/usr \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libexecdir=/usr/libexec \
--datadir=/usr/share \
--sysconfdir=/etc \
--localstatedir=/var \
--libdir=/usr/lib/freeradius \
--includedir=/usr/include \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--with-threads \
--with-thread-pool \
--with-snmp \
--with-large-files \
--disable-ltdl-install \
--with-ltdl-lib=/usr/lib \
--with-ltdl-include=/usr/include \
--with-gnu-ld \
--enable-heimdal-krb5 \
--with-openssl-includes=/usr/include/openssl \
--with-openssl-libraries=/usr/lib \
--with-rlm-krb5-include-dir=/usr/include/heimdal \
--with-rlm-krb5-lib-dir=/usr/lib \
--disable-shared \
--enable-developer \
--enable-strict-dependencies

Some Cflags add in order to patch com_err.h and pam_appl.h folders.

I tried also to patch rlm_krb5.c as suse done on 0.93

#include et/com_err.h
-static int verify_krb5_tgt(krb5_context context, rlm_krb5_t *instance,
+static int verify_krb5_tgt(krb5_context context,
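Review bot: the `+` line ends at `krb5_context context,`, so the new argument list of `verify_krb5_tgt` is not visible; post the complete hunk, because the `-` line carries `rlm_krb5_t *instance` and the `+` line does not, and if that parameter is being dropped rather than moved to the next line the function body and every call site have to change in the same patch. The `#include et/com_err.h` line has no `+`/`-` marker and no bracket or quote delimiters, so it is unclear whether it is context or part of the change.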

but it wasn't useful. Same errors on suse 9.1 and Deb sid upgraded.
So I'd like to know how you got rid of these problems, which snapshot did
you use and which configure file.

No more than a week or two ago I succeeded in compiling and I got server
working, so I suppose some changes in last snapshot are causing all these
problems on krb5.

I also think that forcing static modules on rlm_eap sub type is causing
ttls and peap disappearing.
It is the case of Inter-library dependencies in this simplified way:

  rlm_eap ---static modules link  rlm_eap_tls--(-lname link)-- crypto lib
 !^ ^
 !! !
 !stm-- rlm_eap_ttls   sh lib -- |
 !stm-- rlm_eap_peap   sh lib  |

warning say: linking a shared lib to loadable module is not portable
It seems to me true: in order to have other non libtool modules linked in
these situations linking is asked in a chain of shared lib with libtools.
But forcing static modules outside libtools rules breaks the ring. [1]
Looking at rules.mak we can find:

#  If the module is in the list of static modules, then the dynamic
#  library is built statically, so that the '.la' file contains the
#  libraries that the module depends on.
#
#  Yes, this is a horrible hack.
#
ifeq ($(findstring $(TARGET),$(STATIC_MODULES)),)
LINK_MODE=-export-dynamic
...

And in all .la files we find
# Should we warn about portability when linking against -modules?
shouldnotlink=yes

Look at rlm_eap
dependency_libs='
/usr/src/packages/SOURCES/freeradius-1.1.0/src/lib/libradius.la
-lcrypt -L/usr/lib -lssl -lnsl -lresolv -lpthread -lcrypto '
we can't find submodule forced in static linking, I believe because the
fact static was forced (wasn't better declare them in $(STATIC_MODULES) as
written in rules.mak ? I ask neh, I'm not sure at all.).

So I did a thing: restore as original makefile.in adding or deleting #
Some little adjustment to spec file (didn't find *.so and stopped rpm
building)
Et voila'.
+ '[' /var/tmp/freeradius-1.1.0-build '!=' / ']'
+ '[' -d /var/tmp/freeradius-1.1.0-build ']'
+ rm -rf /var/tmp/freeradius-1.1.0-build

Krb5 will never sure work, but it was too easy : My little brain is saying:
if they did it some valid reason have to be. (bugs ... crash, I don't know)
So starting radiusd I see rlm_exec is not found even if it's in
freradius/lib.
Strace -f: it' s not 

Re: Simultaneous Use

2004-07-08 Thread Milver S. Nisay

I guess then that it is not really possible with RADIUS alone?  I 
it is possible, make use of simultaneous-use attribute.
//milver


user can not get the ipaddress

2004-07-08 Thread alantu
Hi all,
I configured freeradius with mysql. When I send the Access-Request, I can
receive the Access-Accept. I can see that authentication passes, but the
radius server cannot send the IP address to the user.

radius -X   

rad_recv: Access-Request packet from host 62.1.32.7:1645, id=248, length=111
NAS-IP-Address = 62.1.32.7
NAS-Port = 1
NAS-Port-Type = ISDN-V120
User-Name = [EMAIL PROTECTED]
Calling-Station-Id = xxx
CHAP-Password = 0x0b43a46dd00f1875ed6eb7e492db3eb3c1
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module chap returns ok
  modcall[authorize]: module mschap returns notfound
rlm_realm: Looking up realm picc.133vpdn.hi for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm picc.133vpdn.hi
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module files returns ok
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'[EMAIL PROTECTED]' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [EMAIL PROTECTED]/CHAP-Password] (from client router2610 port 1 cli 
460030922009519)
Sending Access-Accept of id 248 to 62.1.32.7:1645
Framed-IP-Address := 255.255.255.254
Framed-MTU = 1500
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 62.1.32.7:1646, id=249, length=147
NAS-IP-Address = 62.1.32.7
NAS-Port = 1
NAS-Port-Type = ISDN-V120
User-Name = [EMAIL PROTECTED]
Calling-Station-Id = 460030922009519
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = 002D
Framed-Protocol = PPP
Tunnel-Client-Endpoint:0 = xxx.xxx.xxx.xxx
Acct-Tunnel-Connection = 130029855
Acct-Delay-Time = 0
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
rlm_realm: Looking up realm picc.133vpdn.hi for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm picc.133vpdn.hi
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute 87 was not found in request, unique ID MAY be 
inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 62.1.32.7,NAS-IP-Address = 
62.1.32.7,Acct-Session-Id = 002D,User-Name = [EMAIL PROTECTED]'
rlm_acct_unique: Acct-Unique-Session-ID = 109123494d0ff70e.
  modcall[accounting]: module acct_unique returns ok
radius_xlat:  '/usr/local/var/log/radius/radacct/detail-07'
rlm_detail: /usr/local/var/log/radius/radacct/detail-%m expands to 
/usr/local/var/log/radius/radacct/detail-07
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module unix returns ok
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, 
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, 
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '002D', 
'109123494d0ff70e', '[EMAIL PROTECTED]', '', '62.1.32.7', '1', 'ISDN-V120', 
'2004-07-08 16:16:46', '0', '0', 'RADIUS', '', '', '0', '0', '', '460030922009519', 
'', 'Framed-User', 

RE: Dialup Admin - Can't see any mysql record

2004-07-08 Thread Kostas Kalevras
On Thu, 8 Jul 2004, Stadler Karel wrote:

 It happens with all pages.

 This is the sql_debug if one presses Show Groups:
 DEBUG(SQL,MYSQL DRIVER): Query: SELECT COUNT(*) as counter,groupname FROM
 usergroup GROUP BY groupname;
 DEBUG(SQL,MYSQL DRIVER): Query Result: Num rows:: 6

 But there is nothing on the page.

I've tested the CVS version myself and it works just fine. So try checking your
configuration again. What is your installation (mysql, apache versions)?


 Also, when pressing Online Users I get:
 DEBUG(SQL,MYSQL DRIVER): Query: SELECT * FROM nas ;

 Fatal error: Cannot redeclare xlat() in
 /opt/radius/dialup_admin/lib/xlat.php3 on line 2

Those problems have been fixed in the CVS. Thanks a lot



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Question about Freeradius and LDAP

2004-07-08 Thread Kostas Kalevras
On Wed, 7 Jul 2004, Arthur EBEL wrote:

 Hi everybody,

 My freeradius operate very well with an openldap directory

 All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr
 can be authenticated.

 I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr
 BUT I don't want to give an access to all my tree dc=utt,dc=fr

 How can I set up the LDAP module to do this ?

 Here is my radiusd.conf about ldap

   ldap {
     server = "server.utt.fr"
     basedn = "ou=people,ou=personnels,dc=utt,dc=fr"
     filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

     start_tls = no

     dictionary_mapping = ${raddbdir}/ldap.attrmap

     ldap_connections_number = 5

     password_header = "{crypt}"
     password_attribute = userPassword
     timeout = 4
     timelimit = 3
     net_timeout = 1
   }

 Thx

Use two ldap module instances.


 Arthur EBEL





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Using wildcards in realm

2004-07-08 Thread Arne Brutschy
Alan DeKok wrote:
|   You can use the preproxy_users file to re-write the User-Name
| before it's proxied.

Yes, but it's never being processed, because uni-leipzig.de is my
local realm. So the proxying request gets canceled:

  WARNING: You set Proxy-To-Realm = uni-leipzig.de, but it is a LOCAL Realm!  Cancelling invalid proxy request.

So the preproxy_users file won't be processed. Is there any way
around it? Or do I get something wrong here?

Regards,
Arne


RE: Dialup Admin - Can't see any mysql record

2004-07-08 Thread Stadler Karel
I downloaded and used the snippet from 2004-07-08 and adjusted the config. No
success so far.

Version we use:
Apache/1.3.23
mysql  Ver 11.16 Distrib 3.23.49

By the way, still got
Fatal error: Cannot redeclare xlat() in
/opt/radius/dialup_admin/lib/xlat.php3 on line 2


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Thursday, 8 July 2004 13:54
To: '[EMAIL PROTECTED]'
Subject: RE: Dialup Admin - Can't see any mysql record


On Thu, 8 Jul 2004, Stadler Karel wrote:

 It happens with all pages.

 This is the sql_debug if one presses Show Groups: DEBUG(SQL,MYSQL 
 DRIVER): Query: SELECT COUNT(*) as counter,groupname FROM usergroup 
 GROUP BY groupname; DEBUG(SQL,MYSQL DRIVER): Query Result: Num rows:: 
 6

 But there is nothing on the page.

I've tested the CVS version myself and it works just fine. So try checking
your configuration again. What is your installation (mysql, apache versions)?


 Also, when pressing Online Users I get:
 DEBUG(SQL,MYSQL DRIVER): Query: SELECT * FROM nas ;

 Fatal error: Cannot redeclare xlat() in 
 /opt/radius/dialup_admin/lib/xlat.php3 on line 2

Those problems have been fixed in the CVS. Thanks a lot



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



mysql authentication

2004-07-08 Thread Jean Frontin
Hello,
Is it normal that I see in radius.log:
Tue Jul  8 15:15:15  2004 : auth: Login incorrect : [username/password] (from client clientname port 0)

where password is crypted.
Before, when I'm using users file I see the password in clear text!
Regards

Jean Frontin
System team
I R I T
Université Paul-Sabatier
118, rte de Narbonne
31062 Toulouse cedex 04
France
tel  (33)(0)5 61 55 63 03
mail [EMAIL PROTECTED]


Re: problem with proxying using fail_over setup

2004-07-08 Thread Alan DeKok
Htin Hlaing [EMAIL PROTECTED] wrote:
 Thanks for that info Alan.  That makes sense.  Also,  what I was looking
 for is that the second server set up will be tried automatically as the
 first one is marked death.

  By the time FreeRADIUS realizes that the home server is dead, the
NAS has probably given up on the request.  So it's generally not a
good idea to send the request to a different home server.

  There are limited cases where I can see it being useful, but there's
no code in the server to support that functionality.

  Alan DeKok.



Re: problem with proxying using fail_over setup

2004-07-08 Thread Alan DeKok
Htin Hlaing [EMAIL PROTECTED] wrote:
 Now this time with round robin setup.  What I am seeing is that each
 access request are being sent out in round robin even within the same
 authentication session.  So, server1 gets the first access-request and
 sends access-challenge out and the access-request in response to the
 challenge gets sent to server2.  Now, server1 waits for the
 access-request while the server2 does not know about the access-request
 it gets and drops.  So, authentication never finishes.

  Yup.  The server SHOULD keep track of the State attribute in
Access-Challenges, and proxy the new Access-Request back to the home
server.

  This isn't in 1.0.0, and may go in 1.1.0.

  Alan DeKok.
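
The behaviour discussed in this reply, as an added example that is not FreeRADIUS code and not part of the original post: a round-robin proxy that remembers which home server issued each Access-Challenge and sends the follow-up Access-Request (echoing the same State) back to it. `Packet`, `ToyHomeServer` and both selector classes are hypothetical stand-ins, and the State values are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RADIUS packet codes


@dataclass
class Packet:
    code: int
    user: str
    state: Optional[bytes] = None  # State attribute (type 24), if present


class NaiveRoundRobin:
    """Rotates on every Access-Request, as in the failing setup described above."""

    def __init__(self, servers: Iterable[str]):
        self.cycle = itertools.cycle(list(servers))

    def pick(self, request: Packet) -> str:
        return next(self.cycle)

    def observe_reply(self, server: str, reply: Packet) -> None:
        pass  # keeps no per-session memory


class StateAwareRoundRobin:
    """Rotates only for new sessions; a request echoing a State returns to its issuer."""

    def __init__(self, servers: Iterable[str], max_pending: int = 1024):
        self.cycle = itertools.cycle(list(servers))
        # State value -> home server that issued it. A real proxy would also key
        # on the NAS, since two home servers could hand out the same State bytes.
        self.pending: Dict[bytes, str] = {}
        self.max_pending = max_pending

    def pick(self, request: Packet) -> str:
        if request.state is not None:
            server = self.pending.pop(request.state, None)
            if server is not None:
                return server
            # Unknown or evicted State: fall through and treat it as a new session.
        return next(self.cycle)

    def observe_reply(self, server: str, reply: Packet) -> None:
        if reply.code == ACCESS_CHALLENGE and reply.state is not None:
            if len(self.pending) >= self.max_pending:
                # Bound memory: abandoned challenges must not accumulate forever.
                self.pending.pop(next(iter(self.pending)))
            self.pending[reply.state] = server


class ToyHomeServer:
    """Challenges once, then accepts only a request echoing a State it issued."""

    def __init__(self, name: str):
        self.name = name
        self.issued = set()
        self.counter = 0

    def handle(self, request: Packet) -> Optional[Packet]:
        if request.state is None:
            self.counter += 1
            state = f"{self.name}-{self.counter}".encode()  # constructed State value
            self.issued.add(state)
            return Packet(ACCESS_CHALLENGE, request.user, state)
        if request.state in self.issued:
            self.issued.discard(request.state)
            return Packet(ACCESS_ACCEPT, request.user)
        return None  # State from another server: the request is dropped


def run_session(proxy, servers: Dict[str, ToyHomeServer], user: str) -> Optional[int]:
    """Drive one login through the proxy; return the final code, or None if dropped."""
    request = Packet(ACCESS_REQUEST, user)
    for _ in range(4):  # bounded number of round trips
        name = proxy.pick(request)
        reply = servers[name].handle(request)
        if reply is None:
            return None
        proxy.observe_reply(name, reply)
        if reply.code != ACCESS_CHALLENGE:
            return reply.code
        request = Packet(ACCESS_REQUEST, user, reply.state)
    return None


def make_servers() -> Dict[str, ToyHomeServer]:
    return {n: ToyHomeServer(n) for n in ("server1", "server2")}


if __name__ == "__main__":
    names = ["server1", "server2"]
    print("naive      :", run_session(NaiveRoundRobin(names), make_servers(), "alice"))
    print("state-aware:", run_session(StateAwareRoundRobin(names), make_servers(), "alice"))
```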



Re: I need to implement EAP/TLS, what version of FreeRadius is good for that?

2004-07-08 Thread Mark Hoffer
Using the latest version of both freeradius (1.0.0 pre) and openssl
0.9.7d I have had good success.

http://www.dslreports.com/forum/remark,9286052~mode=flat
is a good link to follow.

-Mark


On Wed, 2004-07-07 at 19:38, Mara Bezaida Diaz Vsquez wrote:
 
 Hello, i'm Maria Bezaida 
  
 and i'm going to implement EAP/TLS with Xsupplicant and Windows XP.
 What version of FreeRadius and Openssl do you recommend me to a
 correct implementation.
  
 Can you tell me if there is a good manual or something that help me in
 the implementation? 
  
 And how can i generate my own certificates?
  
 Thanks you very Much.
  
 Maria Bezaida
 




Re: dialup_admin ERROR

2004-07-08 Thread apellido jr., wilfredo p.
Hello Kostas, got an error after successfully patching user_finger.php3.

Parse error: parse error, unexpected T_STRING in
/usr/local/www/data-dist/dialup_admin/htdocs/user_finger.php3 on line 87

nas_admin.php3 error:
Jul  8 23:21:24 diameter postgres[562]: [3-1] ERROR:  syntax error at or
near ORDER at character 16


thanks..

- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 9:57 PM
Subject: Re: dialup_admin ERROR


 On Tue, 6 Jul 2004, apellido jr., wilfredo p. wrote:

  Hello guys, got this error under Online Users (user_finger.php3)
 
  Jul  6 13:22:46 diameter postgres[496]: [2-1] ERROR:  column
  radacct.acctstarttime must appear in the GROUP BY clause or be used in an
  aggregate function


  FreeRADIUS Version 1.0.0-pre3, for host , built on Jul  6 2004 at 01:54:36
  psql (PostgreSQL) 7.4.3
 
 
  Any suggestion is highly appreciated... Thanks

 Try this simple patch. Please report results.

 
 
 
 

 --
 Kostas Kalevras Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone: +30 210 7721861
 'Go back to the shadow' Gandalf





Re: mysql authentication

2004-07-08 Thread Brian Thelin
you can turn the reporting of password off in the rad.conf file
it is a great debugging tool 

Brian
On Thu, 2004-07-08 at 07:21, Jean Frontin wrote:
 Hello,
 
 Is it normal that I see in radius.log :
 Tue Jul  8 15:15:15  2004 : auth: Login incorrect : [username/password] (from client clientname port 0)
 
 where password is crypted.
 
 Before, when I'm using users file I see the password in clear text!
 
 Regards
 
 
 
 Jean Frontin
 System team
 I R I T
 Université Paul-Sabatier
 118, rte de Narbonne
 31062 Toulouse cedex 04
 France
 tel  (33)(0)5 61 55 63 03
 mail [EMAIL PROTECTED]
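
An added example (not part of the original posts and not FreeRADIUS code) for cleaning auth log lines of the `[username/password]` form quoted above, so that passwords already written to radius.log do not persist in archives or get shipped to a log collector. The sample lines are constructed; the `<CHAP-Password>` placeholder follows the debug output shown elsewhere on this page, and `<no User-Password attribute>` is assumed to be the server's other placeholder.

```python
import re
from typing import Iterable, List, Tuple

# Values the server writes itself in place of a password (see lead-in for provenance).
PLACEHOLDERS = {"<CHAP-Password>", "<no User-Password attribute>"}
REDACTED = "<redacted>"

# "... Login OK: [user/secret] (from client NAME port N ...)"
# The body is matched greedily so a ']' inside the password does not end it early.
AUTH_LINE = re.compile(
    r"^(?P<head>.*?\bLogin (?:OK|incorrect)[^\[]*\[)"
    r"(?P<body>.*)"
    r"(?P<tail>\] \(from client .*\)\s*)$"
)


def scrub_line(line: str) -> Tuple[str, bool]:
    """Return (line with the logged secret replaced, whether a secret was present)."""
    match = AUTH_LINE.match(line)
    if match is None:
        return line, False
    # Split at the FIRST '/', so everything after it is treated as secret. A user
    # name that itself contains '/' is over-redacted, which is the safe direction.
    user, sep, secret = match.group("body").partition("/")
    if not sep or secret in PLACEHOLDERS or secret == REDACTED:
        return line, False
    # Hashed ("crypted") values are redacted too: they can still be attacked offline.
    return f"{match.group('head')}{user}/{REDACTED}{match.group('tail')}", True


def audit(lines: Iterable[str]) -> Tuple[List[str], List[int]]:
    """Scrub every line; also return the 1-based numbers of lines that held a secret."""
    cleaned, leaked = [], []
    for number, line in enumerate(lines, start=1):
        new_line, had_secret = scrub_line(line.rstrip("\n"))
        cleaned.append(new_line)
        if had_secret:
            leaked.append(number)
    return cleaned, leaked


# Constructed sample log, not taken from any real system.
SAMPLE_LOG = [
    "Thu Jul  8 15:15:15 2004 : Auth: Login incorrect: [jean/Tr0ub4dor&3] (from client nas1 port 0)",
    "Thu Jul  8 15:16:02 2004 : Auth: Login OK: [karel/<CHAP-Password>] (from client nas1 port 1 cli 0123456789)",
    "Thu Jul  8 15:16:40 2004 : Auth: Login OK: [marco] (from client nas2 port 3)",
    "Thu Jul  8 15:17:00 2004 : Info: rlm_radutmp: Login entry for NAS nas1 port 278 duplicate",
    "Thu Jul  8 15:18:09 2004 : Auth: Login incorrect: [arne/pa/ss]word] (from client nas2 port 4)",
]

if __name__ == "__main__":
    cleaned, leaked = audit(SAMPLE_LOG)
    print("lines that contained a password:", leaked)
    for line in cleaned:
        print(line)
```

This only cleans what is already on disk; whether the password is written at all is decided by the `log_auth_badpass` and `log_auth_goodpass` settings in radiusd.conf.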
 
 




timezone

2004-07-08 Thread jesk
hi,

how does freeradius get the time of accounting packets?
i set localtime and mysqltime to utc/gmt, but freeradius is dating the 
accounting packets with the time in my zone. is the time maybe taken
from the nas in the timestamp attribute?
i need utc/gmt for easier accounting to summer and winter time.

thanks for any answer.
regards,
christian





radius log question

2004-07-08 Thread Milver S. Nisay
as i interpret this, when connecting to cisco AS5320  router, port collision 
occurred in a way
that a user is already using port while the other is trying to use the same 
port,
anyone can further advise pls.?

Thu Jul  8 20:43:10 2004 : Info: rlm_radutmp: Login entry for NAS 
sub.domain.com port 278 duplicate
Thu Jul  8 20:43:10 2004 : Info: rlm_radutmp: Login entry for NAS 
sub.domain.com port 278 duplicate

thank you.
milver nisay 




Re: radius log question

2004-07-08 Thread Alan DeKok
Milver S. Nisay [EMAIL PROTECTED] wrote:
 as i interpret this, when connecting to cisco AS5320 router, port
 collision occurred in a way that a user is already using port while
 the other is trying to use the same port, anyone can further advise
 pls.?

  duplicate means the same, not similar.

 Thu Jul  8 20:43:10 2004 : Info: rlm_radutmp: Login entry for NAS 
 sub.domain.com port 278 duplicate

  This means that the server received two accounting start packets for
the same user.  It's an informational message, and isn't an error.

  Alan DeKok.



Freeradius cyrus imap

2004-07-08 Thread Michael
Hello,
Recently I installed a fileserver suse standard server 8.0 as PDC Running
samba , I also installed freeradius server on the same box, my cisco 3005
concentrator vpn clients are getting authenticated by freeradius server with
pam.
I also have an email server on a different box but in the same network. 
My email server runs postfix with cyrus imap. I would like to authenticate
my mail users from the samba radius server. Is this possible?
Should I install radius server on the mail server as well? so I can proxy
it. I appreciate your suggestions and help.

Thanks
Memo





Freeradius with EAP-TLS causes Windows XP to crash

2004-07-08 Thread Thomas Horsten
Hi,

I have installed freeradius-1.0.0-pre3 from source on my Linux-MIPS Debian
GNU/Linux box.

The basic stuff all works and the server boots without problems. I have
set my D-Link DWL-900AP+ 802.11g access point up to use 802.1X with my
Linux box as Radius server.

I have generated root, server and client certificate, and imported the
root and client cert. on my XP Pro box. The XP box is a Sony Vaio laptop
with a built-in Intel WLAN card.

The wireless LAN works fine with WEP shared key authentication and with
encryption disabled.

But when I try to connect, the XP box crashes (blue screen), with this
info:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

*** ndisuio.sys - Address BAA66B51 base at BAA65000, DateStamp 3f2b8682

If radiusd is not running, XP doesn't crash (but also doesn't connect,
obviously).

My radiusd -X -A output for this request:

Ready to process requests.
rad_recv: Access-Request packet from host 10.10.4.252:1028, id=4,
length=141
User-Name = Thomas Horsten
NAS-Identifier = AP8628-12345
NAS-IP-Address = 10.10.4.252
NAS-Port = 37
NAS-Port-Type = Wireless-802.11
Called-Station-Id = 0080c837f1ae
Calling-Station-Id = 000e3510cb56
Framed-MTU = 1400
EAP-Message = 0x020100130154686f6d617320486f727374656e
Message-Authenticator = 0x1f374004482bcbce2b80480b474585b3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = Thomas Horsten, looking up realm
NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched Thomas Horsten at 78
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 4 to 10.10.4.252:1028
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x35499d3c6d3c0c027c5881f97a81f1dc
Finished request 0



Any ideas what is wrong? Some more information below:

eap.conf extract:

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        private_key_password = 
        private_key_file = ${raddbdir}/certs/home.pem

        certificate_file = ${raddbdir}/certs/home.pem

        CA_file = ${raddbdir}/certs/demoCA/cacert.pem

        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random

        fragment_size = 1024

        include_length = yes

        check_crl = yes

        check_cert_cn = %{User-Name}
    }

    mschapv2 {
    }
}

users extract:

Thomas Horsten Auth-Type := EAP

Windows configuration: I haven't changed anything from the standard
configuration, other than installing the certificates.

- Thomas





Re: Freeradius with EAP-TLS causes Windows XP to crash

2004-07-08 Thread Paul Bender
Thomas Horsten wrote:
> DRIVER_IRQL_NOT_LESS_OR_EQUAL
> *** ndisuio.sys - Address BAA66B51 base at BAA65000, DateStamp 3f2b8682
>
> Windows configuration: I haven't changed anything from the standard
> configuration, other than installing the certificates.

Have you patched Windows XP, including the Wireless update
http://support.microsoft.com/default.aspx?scid=kb;en-us;826942? The
wireless update adds WPA functionality, and they update the ndisuio.sys driver.



How does accounting-on/off work with RADIUS proxy?

2004-07-08 Thread Zhiqiang Hu
In the following diagram, if one NAS, for example
NAS-2, crashes and comes back, it will send a system
account-on message for the RADIUS server to clean up
previous sessions. But if a RADIUS proxy server is
used in the middle, how can the true RADIUS server
distinguish the previous sessions on NAS-2 from
sessions on other NASes?

NAS-1 --|
        |
NAS-2 --|
        |-- Proxy RADIUS Server -- True RADIUS Server
 ...    |
        |
NAS-N --|





Re: How does accounting-on/off work with RADIUS proxy?

2004-07-08 Thread Paul Hampson
Zhiqiang Hu writes:

> In the following diagram, if one NAS, for example
> NAS-2, crashes and comes back, it will send a system
> account-on message for the RADIUS server to clean up
> previous sessions. But if a RADIUS proxy server is
> used in the middle, how can the true RADIUS server
> distinguish the previous sessions on NAS-2 from
> sessions on other NASes?
>
> NAS-1 --|
>         |
> NAS-2 --|
>         |-- Proxy RADIUS Server -- True RADIUS Server
>  ...    |
>         |
> NAS-N --|

The Account_On and Account_Off queries should operate on the content
of NAS-IP-Address, not Client-IP-Address. Even after passing through
a RADIUS proxy the NAS-IP-Address must identify the NAS, whereas the
Client-IP-Address identifies the machine that gave the packet to the
current RADIUS server. 

--
Paul TBBle Hampson, on a webmail client! 
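
The difference between the two keys in the reply above, worked through on a small session table. This is an added example, not code from the thread or from FreeRADIUS; the table layout, column names and all addresses are constructed for illustration.

```python
import sqlite3

PROXY_IP = "192.0.2.10"  # constructed address of the proxy RADIUS server

# Constructed open sessions as the true server sees them behind the proxy:
# (session id, user, NAS-IP-Address attribute, source IP of the packet)
SESSIONS = [
    ("s1", "alice", "10.0.0.1", PROXY_IP),  # NAS-1
    ("s2", "bob", "10.0.0.2", PROXY_IP),    # NAS-2
    ("s3", "carol", "10.0.0.2", PROXY_IP),  # NAS-2
    ("s4", "dave", "10.0.0.3", PROXY_IP),   # NAS-N
]


def open_db():
    """Build an in-memory accounting table holding the sample sessions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (session_id TEXT, username TEXT, "
               "nas_ip TEXT, client_ip TEXT, stopped INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO acct (session_id, username, nas_ip, client_ip) "
                   "VALUES (?, ?, ?, ?)", SESSIONS)
    return db


def accounting_on(db, key_column, nas_ip_attr, packet_src_ip):
    """Close stale sessions after an Accounting-On; return ids still open."""
    if key_column not in ("nas_ip", "client_ip"):
        raise ValueError(key_column)
    value = nas_ip_attr if key_column == "nas_ip" else packet_src_ip
    db.execute(f"UPDATE acct SET stopped = 1 "
               f"WHERE stopped = 0 AND {key_column} = ?", (value,))
    rows = db.execute("SELECT session_id FROM acct "
                      "WHERE stopped = 0 ORDER BY session_id")
    return [r[0] for r in rows]


def demo():
    # NAS-2 reboots; its Accounting-On reaches the true server via the proxy.
    by_nas = accounting_on(open_db(), "nas_ip", "10.0.0.2", PROXY_IP)
    by_client = accounting_on(open_db(), "client_ip", "10.0.0.2", PROXY_IP)
    return by_nas, by_client


if __name__ == "__main__":
    print(demo())
```

Keyed on the NAS-IP-Address attribute, only the NAS-2 sessions are closed; keyed on the packet source, every session matches the proxy's address and all of them are closed.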
